Grizzly » Mon Oct 26, 2015 9:18 pm wrote: decentralization cannot happen fast enough (any way to have RI decentralized?)
I couldn't figure out, where to put this as it could very well go under simultaneous topics ...
Russian Ships Near Data Cables Are Too Close for U.S. Comfort
http://mobile.nytimes.com/2015/10/26/wo ... 2&referer=
By DAVID E. SANGER and ERIC SCHMITT
October 25, 2015
WASHINGTON — Russian submarines and spy ships are aggressively operating near the vital undersea cables that carry almost all global Internet communications, raising concerns among some American military and intelligence officials that the Russians might be planning to attack those lines in times of tension or conflict.
The issue goes beyond old worries during the Cold War that the Russians would tap into the cables — a task American intelligence agencies also mastered decades ago. The alarm today is deeper: The ultimate Russian hack on the United States could involve severing the fiber-optic cables at some of their hardest-to-access locations to halt the instant communications on which the West’s governments, economies and citizens have grown dependent.
While there is no evidence yet of any cable cutting, the concern is part of a growing wariness among senior American and allied military and intelligence officials over the accelerated activity by Russian armed forces around the globe. At the same time, the internal debate in Washington illustrates how the United States is increasingly viewing every Russian move through a lens of deep distrust, reminiscent of relations during the Cold War.
Inside the Pentagon and the nation’s spy agencies, the assessments of Russia’s growing naval activities are highly classified and not publicly discussed in detail. American officials are secretive about what they are doing both to monitor the activity and to find ways to recover quickly if cables are cut. But more than a dozen officials confirmed in broad terms that it had become the source of significant attention in the Pentagon.
Looks like China is hotting up, too:
Powerful NSA hacking tools have been revealed online
By Ellen Nakashima August 16 at 6:52 PM
Some of the most powerful espionage tools created by the National Security Agency’s elite group of hackers have been revealed in recent days, a development that could pose severe consequences for the spy agency’s operations and the security of government and corporate computers.
A cache of hacking tools with code names such as Epicbanana, Buzzdirection and Egregiousblunder appeared mysteriously online over the weekend, setting the security world abuzz with speculation over whether the material was legitimate.
The file appeared to be real, according to former NSA personnel who worked in the agency’s hacking division, known as Tailored Access Operations (TAO).
“Without a doubt, they’re the keys to the kingdom,” said one former TAO employee, who spoke on the condition of anonymity to discuss sensitive internal operations. “The stuff you’re talking about would undermine the security of a lot of major government and corporate networks both here and abroad.”
Said a second former TAO hacker who saw the file: “From what I saw, there was no doubt in my mind that it was legitimate.”
The file contained 300 megabytes of information, including several “exploits,” or tools for taking control of firewalls in order to control a network, and a number of implants that might, for instance, exfiltrate or modify information.
The exploits are not run-of-the-mill tools to target everyday individuals. They are expensive software used to take over firewalls, such as Cisco and Fortinet, that are used “in the largest and most critical commercial, educational and government agencies around the world,” said Blake Darche, another former TAO operator and now head of security research at Area 1 Security.
The software apparently dates back to 2013 and appears to have been taken then, experts said, citing file creation dates, among other things.
“What’s clear is that these are highly sophisticated and authentic hacking tools,” said Oren Falkowitz, chief executive of Area 1 Security and another former TAO employee.
Several of the exploits were pieces of computer code that took advantage of “zero-day” or previously unknown flaws or vulnerabilities in firewalls, which appear to be unfixed to this day, said one of the former hackers.
The disclosure of the file means that at least one other party — possibly another country’s spy agency — has had access to the same hacking tools used by the NSA and could deploy them against organizations that are using vulnerable routers and firewalls. It might also see what the NSA is targeting and spying on. And now that the tools are public, as long as the flaws remain unpatched, other hackers can take advantage of them, too.
The NSA did not respond to requests for comment.
“Faking this information would be monumentally difficult, there is just such a sheer volume of meaningful stuff,” Nicholas Weaver, a computer security researcher at the University of California at Berkeley, said in an interview. “Much of this code should never leave the NSA.”
The tools were posted by a group calling itself the Shadow Brokers using file-sharing sites such as BitTorrent and DropBox.
As is typical in such cases, the true identity of whoever put the tools online remains hidden. Attached to the cache was an “auction” note that purported to be selling a second set of tools to the highest bidder: “!!! Attention government sponsors of cyber warfare and those who profit from it !!!! How much you pay for enemies cyber weapons?”
The group also said that if the auction raised 1 million bitcoins — equivalent to roughly $500 million — it would release the second file to the world.
The auction “is a joke,” Weaver said. “It’s designed to distract. It’s total nonsense.” He said that “bitcoin is so traceable that a Doctor Evil scheme of laundering $1 million, let alone $500 million, is frankly lunacy.”
One of the former TAO operators said he suspected that whoever found the tools doesn’t have everything. “The stuff they have there is super-duper interesting, but it is by far not the most interesting stuff in the tool set,” he said. “If you had the rest of it, you’d be leading off with that, because you’d be commanding a much higher rate.”
TAO, a secretive unit that helped craft the digital weapon known as Stuxnet, has grown in the past decade or so from several hundred to more than 2,000 personnel at the NSA’s Fort Meade, Md., headquarters. The group dates to the early 1990s. Its moniker, Tailored Access Organization, suggests a precision of technique that some officials have likened to brain surgery. Its name also reflects how coding whizzes create exquisite tools from scratch, in the same way a fine tailor takes a bolt of wool and fashions a bespoke suit — only the computer geeks more often work in jeans and T-shirts. “We break out the Nerf guns and have epic Nerf gun fights,” one of the former hackers said.
Some former agency employees suspect that the leak was the result of a mistake by an NSA operator, rather than a successful hack by a foreign government of the agency’s infrastructure.
When NSA personnel hack foreign computers, they don’t move directly from their own covert systems to the targets’, fearing that the attack would be too easy to trace. They use a form of proxy server called a “redirector” that masks the hackers’ origin. They use one or more such servers to make it difficult to trace a hack.
“NSA is often lurking undetected for years on the . . . [proxy hops] of state hackers,” former agency contractor Edward Snowden tweeted Tuesday. “This is how we follow their operations.”
At the same time, other spy services, like Russia’s, are doing the same thing to the United States.
It is not unprecedented for a TAO operator to accidentally upload a large file of tools to a redirector, one of the former employees said. “What’s unprecedented is to not realize you made a mistake,” he said. “You would recognize, ‘Oops, I uploaded that set’ and delete it.”
Critics of the NSA have suspected that the agency, when it discovers a software vulnerability, frequently does not disclose it, thereby putting at risk the cybersecurity of anyone using that product. The file disclosure shows why it’s important to tell software-makers when flaws are detected, rather than keeping them secret, one of the former agency employees said, because now the information is public, available for anyone to employ to hack widely used Internet infrastructure.
Snowden, Weaver and some of the former NSA hackers say they suspect Russian involvement in the release of the cache, though no one has offered hard evidence. They say the timing — in the wake of high-profile disclosures of Russian government hacking of the Democratic National Committee and other party organizations — is notable.
Tweeted Snowden: “Circumstantial evidence and conventional wisdom indicates Russian responsibility.” He said that the disclosure “is likely a warning that someone can prove U.S. responsibility for any attacks that originated from this” redirector or malware server by linking it to the NSA.
“This could have significant foreign policy consequences,” he said in another tweet. “Particularly if any of those operations targeted U.S. allies” or their elections.
“Accordingly,” he tweeted, “this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.”
In other words, he tweeted, it looks like “somebody sending a message” that retaliating against Russia for its hacks of the political organizations “could get messy fast.”
82_28 » Tue Oct 27, 2015 12:41 am wrote: I looked into TOR just to "test it out" -- see if it worked back when it was announced, god how many years ago by now? Even though it was DARPA funded and shit, I just wanted to see. I never got it to work and lost interest. So I found RI and other sites on the Light Web in order to sell my great cache of weapons, drugs and children.
Anybody want a rocket launcher? CHEAP. Warranty still applies. $1000 OBO.
Really who gives a fuck anymore? There's literally nothing we can do without the web. But I will say there are layers to it and I won't use no DARPA shit. I'd like DARPA to bring back Napster though. That'd be rad.
Twitter, Reddit, Spotify Were Collateral Damage In Major Internet Attack
Written by LORENZO FRANCESCHI-BICCHIERAI, STAFF WRITER
October 21, 2016 // 10:48 AM EST
Twitter, Reddit, Github, Spotify, and many others were knocked offline intermittently on Friday morning as a result of a cyberattack on a large internet infrastructure provider.
The popular websites became the collateral damage of a “global” Distributed Denial of Service or DDoS attack on Dyn, a company that provides core internet services for those popular websites. The attack mainly targeted Dyn’s Domain Name System (DNS) management services infrastructure on the East Coast of the United States, as the company explained in a statement.
DNS is essentially the internet’s phone book. When you type Twitter.com into your browser, DNS servers turn that URL into an IP address and serve you the site’s content. Due to the fact that Dyn provides DNS management services to a lot of companies on the internet, the attack spread beyond the company and knocked offline other parts of the internet, as collateral damage.
“We are a major DNS service provider,” Doug Madory, director of internet analysis at Dyn, told Motherboard. “When a DNS service provider gets attacked then parts of the DNS system stop working and people can’t access websites.”
Madory also said that there was “no doubt” that Dyn was the primary target of the attack.
At this point, it’s unclear who’s behind the attack or what their motives were. But as security journalist Brian Krebs noted, Dyn’s researcher Madory teamed up with him on research investigating the “sometimes blurry lines between certain DDoS mitigation firms and the cybercriminals apparently involved in launching some of the largest DDoS attacks the Internet.”
Krebs, however, noted that there’s no data to clearly link Dyn’s previous work with the attack on Friday.
The attack on Dyn came a few weeks after criminals used a massive botnet made of Internet of Things devices infected with malware to target Krebs himself, forcing him to take down his website. At this point, it’s unclear if the DDoS on Dyn was carried out with that botnet, which is powered by malware known as Mirai, but some were already speculating that was the case.
Marshal Webb, the chief technology officer of BackConnect, an anti-DDoS firm that was also investigated by Krebs and Madory, explained that Mirai has capabilities to target and overwhelm DNS servers.
“Someone has probably achieved hegemony with the Mirai source and slapped DYN to either hit them directly or a customer downstream,” Webb told Motherboard in an online chat. “Nothing else would have enough legitimate devices to saturate DNS queries.”
At around 9:45 am ET, Dyn reported that all services were “restored to normal.” But as of this time, no one knows exactly who was behind the attacks or how they did it, and Dyn said they had no other details to provide.
UPDATE, 10/21/2016, 5:15 p.m. ET: A botnet of hacked Internet of Things devices powered by the malware Mirai is at least in part responsible for the outages, according to an internet backbone provider and a security company.
Britain has passed the 'most extreme surveillance law ever passed in a democracy'
The law forces UK internet providers to store browsing histories -- including domains visited -- for one year, in case of police investigations.
It's 2016 going on 1984.
The UK has just passed a massive expansion in surveillance powers, which critics have called "terrifying" and "dangerous".
The new law, dubbed the "snoopers' charter", was introduced by then-home secretary Theresa May in 2012, and took two attempts to get passed into law following breakdowns in the previous coalition government.
Four years and a general election later -- May is now prime minister -- the bill was finalized and passed on Wednesday by both parliamentary houses.
But civil liberties groups have long criticized the bill, with some arguing that the law will let the UK government "document everything we do online".
It's no wonder, because it basically does.
The law will force internet providers to record every internet customer's top-level web history in real-time for up to a year, which can be accessed by numerous government departments; force companies to decrypt data on demand -- though the government has never been that clear on exactly how it forces foreign firms to do that; and even disclose any new security features in products before they launch.
Not only that, the law also gives the intelligence agencies the power to hack into computers and devices of citizens (known as equipment interference), although some protected professions -- such as journalists and medical staff -- are layered with marginally better protections.
In other words, it's the "most extreme surveillance law ever passed in a democracy," according to Jim Killock, director of the Open Rights Group.
The bill was opposed by representatives of the United Nations, all major UK and many leading global privacy and rights groups, and a host of Silicon Valley tech companies alike. Even the parliamentary committee tasked with scrutinizing the bill called some of its provisions "vague".
And that doesn't even account for the three-quarters of people who think privacy, which this law almost entirely erodes, is a human right.
There are some safeguards, however, such as a "double lock" system so that the secretary of state and an independent judicial commissioner must agree on a decision to carry out search warrants (though one member of the House of Lords disputed that claim).
A new investigatory powers commissioner will also oversee the use of the powers.
Despite the uproar, the government's opposition failed to scrutinize any significant amendments and abstained from the final vote. Killock said recently that the opposition Labour party spent its time "simply failing to hold the government to account".
But the government has downplayed much of the controversy surrounding the bill. The government has consistently argued that the bill isn't drastically new, but instead reworks the old and outdated Regulation of Investigatory Powers Act (RIPA). This was brought into law in 2000, to "legitimize" new powers that were conducted or ruled on in secret, like collecting data in bulk and hacking into networks, which was revealed during the Edward Snowden affair.
Much of those activities were only possible thanks to litigation by one advocacy group, Privacy International, which helped push these secret practices into the public domain while forcing the government to scramble to explain why these practices were legal.
The law will be ratified by royal assent in the coming weeks.
ANDY GREENBERG, SECURITY, 06.20.17 06:00 AM
HOW AN ENTIRE NATION BECAME RUSSIA'S TEST LAB FOR CYBERWAR
The clocks read zero when the lights went out.
It was a Saturday night last December, and Oleksii Yasinsky was sitting on the couch with his wife and teenage son in the living room of their Kiev apartment. The 40-year-old Ukrainian cybersecurity researcher and his family were an hour into Oliver Stone’s film Snowden when their building abruptly lost power.
“The hackers don’t want us to finish the movie,” Yasinsky’s wife joked. She was referring to an event that had occurred a year earlier, a cyberattack that had cut electricity to nearly a quarter-million Ukrainians two days before Christmas in 2015. Yasinsky, a chief forensic analyst at a Kiev digital security firm, didn’t laugh. He looked over at a portable clock on his desk: The time was 00:00. Precisely midnight.
Yasinsky’s television was plugged into a surge protector with a battery backup, so only the flicker of images onscreen lit the room now. The power strip started beeping plaintively. Yasinsky got up and switched it off to save its charge, leaving the room suddenly silent.
He went to the kitchen, pulled out a handful of candles and lit them. Then he stepped to the kitchen window. The thin, sandy-blond engineer looked out on a view of the city as he’d never seen it before: The entire skyline around his apartment building was dark. Only the gray glow of distant lights reflected off the clouded sky, outlining blackened hulks of modern condos and Soviet high-rises.
Noting the precise time and the date, almost exactly a year since the December 2015 grid attack, Yasinsky felt sure that this was no normal blackout. He thought of the cold outside—close to zero degrees Fahrenheit—the slowly sinking temperatures in thousands of homes, and the countdown until dead water pumps led to frozen pipes.
That’s when another paranoid thought began to work its way through his mind: For the past 14 months, Yasinsky had found himself at the center of an enveloping crisis. A growing roster of Ukrainian companies and government agencies had come to him to analyze a plague of cyberattacks that were hitting them in rapid, remorseless succession. A single group of hackers seemed to be behind all of it. Now he couldn’t suppress the sense that those same phantoms, whose fingerprints he had traced for more than a year, had reached back, out through the internet’s ether, into his home.
The Cyber-Cassandras said this would happen. For decades they warned that hackers would soon make the leap beyond purely digital mayhem and start to cause real, physical damage to the world. In 2009, when the NSA’s Stuxnet malware silently accelerated a few hundred Iranian nuclear centrifuges until they destroyed themselves, it seemed to offer a preview of this new era. “This has a whiff of August 1945,” Michael Hayden, former director of the NSA and the CIA, said in a speech. “Somebody just used a new weapon, and this weapon will not be put back in the box.”
Now, in Ukraine, the quintessential cyberwar scenario has come to life. Twice. On separate occasions, invisible saboteurs have turned off the electricity to hundreds of thousands of people. Each blackout lasted a matter of hours, only as long as it took for scrambling engineers to manually switch the power on again. But as proofs of concept, the attacks set a new precedent: In Russia’s shadow, the decades-old nightmare of hackers stopping the gears of modern society has become a reality.
And the blackouts weren’t just isolated attacks. They were part of a digital blitzkrieg that has pummeled Ukraine for the past three years—a sustained cyberassault unlike any the world has ever seen. A hacker army has systematically undermined practically every sector of Ukraine: media, finance, transportation, military, politics, energy. Wave after wave of intrusions have deleted data, destroyed computers, and in some cases paralyzed organizations’ most basic functions. “You can’t really find a space in Ukraine where there hasn’t been an attack,” says Kenneth Geers, a NATO ambassador who focuses on cybersecurity.
In a public statement in December, Ukraine’s president, Petro Poroshenko, reported that there had been 6,500 cyberattacks on 36 Ukrainian targets in just the previous two months. International cybersecurity analysts have stopped just short of conclusively attributing these attacks to the Kremlin, but Poroshenko didn’t hesitate: Ukraine’s investigations, he said, point to the “direct or indirect involvement of secret services of Russia, which have unleashed a cyberwar against our country.” (The Russian foreign ministry didn’t respond to multiple requests for comment.)
To grasp the significance of these assaults—and, for that matter, to digest much of what’s going on in today’s larger geopolitical disorder—it helps to understand Russia’s uniquely abusive relationship with its largest neighbor to the west. Moscow has long regarded Ukraine as both a rightful part of Russia’s empire and an important territorial asset—a strategic buffer between Russia and the powers of NATO, a lucrative pipeline route to Europe, and home to one of Russia’s few accessible warm-water ports. For all those reasons, Moscow has worked for generations to keep Ukraine in the position of a submissive smaller sibling.
But over the past decade and a half, Moscow’s leash on Ukraine has frayed, as popular support in the country has pulled toward NATO and the European Union. In 2004, Ukrainian crowds in orange scarves flooded the streets to protest Moscow’s rigging of the country’s elections; that year, Russian agents allegedly went so far as to poison the surging pro-Western presidential candidate Viktor Yushchenko. A decade later, the 2014 Ukrainian Revolution finally overthrew the country’s Kremlin-backed president, Viktor Yanukovych (a leader whose longtime political adviser, Paul Manafort, would go on to run the US presidential campaign of Donald Trump). Russian troops promptly annexed the Crimean Peninsula in the south and invaded the Russian-speaking eastern region known as Donbass. Ukraine has since then been locked in an undeclared war with Russia, one that has displaced nearly 2 million internal refugees and killed close to 10,000 Ukrainians.
From the beginning, one of this war’s major fronts has been digital. Ahead of Ukraine’s post-revolution 2014 elections, a pro-Russian group calling itself CyberBerkut—an entity with links to the Kremlin hackers who later breached Democratic targets in America’s 2016 presidential election—rigged the website of the country’s Central Election Commission to announce ultra-right presidential candidate Dmytro Yarosh as the winner. Administrators detected the tampering less than an hour before the election results were set to be declared. And that attack was just a prelude to Russia’s most ambitious experiment in digital war, the barrage of cyberattacks that began to accelerate in the fall of 2015 and hasn’t ceased since.
Yushchenko, who ended up serving as Ukraine’s president from 2005 to 2010, believes that Russia’s tactics, online and off, have one single aim: “to destabilize the situation in Ukraine, to make its government look incompetent and vulnerable.” He lumps the blackouts and other cyberattacks together with the Russian disinformation flooding Ukraine’s media, the terroristic campaigns in the east of the country, and his own poisoning years ago—all underhanded moves aimed at painting Ukraine as a broken nation. “Russia will never accept Ukraine being a sovereign and independent country,” says Yushchenko, whose face still bears traces of the scars caused by dioxin toxicity. “Twenty-five years since the Soviet collapse, Russia is still sick with this imperialistic syndrome.”
But many global cybersecurity analysts have a much larger theory about the endgame of Ukraine’s hacking epidemic: They believe Russia is using the country as a cyberwar testing ground—a laboratory for perfecting new forms of global online combat. And the digital explosives that Russia has repeatedly set off in Ukraine are ones it has planted at least once before in the civil infrastructure of the United States.
One Sunday morning in October 2015, more than a year before Yasinsky would look out of his kitchen window at a blacked-out skyline, he sat near that same window sipping tea and eating a bowl of cornflakes. His phone rang with a call from work. He was then serving as the director of information security at StarLightMedia, Ukraine’s largest TV broadcasting conglomerate. During the night, two of StarLight’s servers had inexplicably gone offline. The IT administrator on the phone assured him that the servers had already been restored from backups.
But Yasinsky felt uneasy. The two machines had gone dark at almost the same minute. “One server going down, it happens,” Yasinsky says. “But two servers at the same time? That’s suspicious.”
Resigned to a lost weekend, he left his apartment and took the 40-minute metro ride to StarLightMedia’s office. When he got there, Yasinsky and the company’s IT admins examined the image they’d kept of one of the corrupted servers. Its master boot record, the deep-seated, reptile-brain portion of a computer’s hard drive that tells the machine where to find its own operating system, had been precisely overwritten with zeros. This was especially troubling, given that the two victim servers were domain controllers, computers with powerful privileges that could be used to reach into hundreds of other machines on the corporate network.
Yasinsky quickly discovered the attack was indeed far worse than it had seemed: The two corrupted servers had planted malware on the laptops of 13 StarLight employees. The infection had triggered the same boot-record overwrite technique to brick the machines just as staffers were working to prepare a morning TV news bulletin ahead of the country’s local elections.
Nonetheless, Yasinsky could see he’d been lucky. Looking at StarLight’s network logs, it appeared the domain controllers had committed suicide prematurely. They’d actually been set to infect and destroy 200 more PCs at the company. Soon Yasinsky heard from a competing media firm called TRK that it had been less fortunate: That company lost more than a hundred computers to an identical attack.
Yasinsky managed to pull a copy of the destructive program from StarLight’s network. Back at home, he pored over its code. He was struck by the layers of cunning obfuscation—the malware had evaded all antivirus scans and even impersonated an antivirus scanner itself, Microsoft’s Windows Defender. After his family had gone to sleep, Yasinsky printed the code and laid the papers across his kitchen table and floor, crossing out lines of camouflaging characters and highlighting commands to see its true form. Yasinsky had been working in information security for 20 years; he’d managed massive networks and fought off crews of sophisticated hackers before. But he’d never analyzed such a refined digital weapon.
Beneath all the cloaking and misdirection, Yasinsky figured out, was a piece of malware known as KillDisk, a data-destroying parasite that had been circulating among hackers for about a decade. To understand how it got into their system, Yasinsky and two colleagues at StarLight obsessively dug into the company’s network logs, combing them again and again on nights and weekends. By tracing signs of the hackers’ fingerprints—some compromised corporate YouTube accounts, an administrator’s network login that had remained active even when he was out sick—they came to the stomach-turning realization that the intruders had been inside their system for more than six months. Eventually, Yasinsky identified the piece of malware that had served as the hackers’ initial foothold: an all-purpose Trojan known as BlackEnergy.
Soon Yasinsky began to hear from colleagues at other companies and in the government that they too had been hacked, and in almost exactly the same way. One attack had hit Ukrzaliznytsia, Ukraine’s biggest railway company. Other targets asked Yasinsky to keep their breaches secret. Again and again, the hackers used BlackEnergy for access and reconnaissance, then KillDisk for destruction. Their motives remained an enigma, but their marks were everywhere.
“With every step forward, it became clearer that our Titanic had found its iceberg,” says Yasinsky. “The deeper we looked, the bigger it was.”
Even then, Yasinsky didn’t know the real dimensions of the threat. He had no idea, for instance, that by December 2015, BlackEnergy and KillDisk were also lodged inside the computer systems of at least three major Ukrainian power companies, lying in wait.
At first, Robert Lee blamed the squirrels.
It was Christmas Eve 2015—and also, it so happened, the day before Lee was set to be married in his hometown of Cullman, Alabama. A barrel-chested and bearded redhead, Lee had recently left a high-level job at a three-letter US intelligence agency, where he’d focused on the cybersecurity of critical infrastructure. Now he was settling down to launch his own security startup and marry the Dutch girlfriend he’d met while stationed abroad.
As Lee busied himself with wedding preparations, he saw news headlines claiming that hackers had just taken down a power grid in western Ukraine. A significant swath of the country had apparently gone dark for six hours. Lee blew off the story—he had other things on his mind, and he’d heard spurious claims of hacked grids plenty of times before. The cause was usually a rodent or a bird—the notion that squirrels represented a greater threat to the power grid than hackers had become a running joke in the industry.
The next day, however, just before the wedding itself, Lee got a text about the purported cyberattack from Mike Assante, a security researcher at the SANS Institute, an elite cybersecurity training center. That got Lee’s attention: When it comes to digital threats to power grids, Assante is one of the most respected experts in the world. And he was telling Lee that the Ukraine blackout hack looked like the real thing.
Just after Lee had said his vows and kissed his bride, a contact in Ukraine messaged him as well: The blackout hack was real, the man said, and he needed Lee’s help. For Lee, who’d spent his career preparing for infrastructure cyberattacks, the moment he’d anticipated for years had finally arrived. So he ditched his own reception and began to text with Assante in a quiet spot, still in his wedding suit.
Lee eventually retreated to his mother’s desktop computer in his parents’ house nearby. Working in tandem with Assante, who was at a friend’s Christmas party in rural Idaho, they pulled up maps of Ukraine and a chart of its power grid. The three power companies’ substations that had been hit were in different regions of the country, hundreds of miles from one another and unconnected. “This was not a squirrel,” Lee concluded with a dark thrill.
By that night, Lee was busy dissecting the KillDisk malware his Ukrainian contact had sent him from the hacked power companies, much as Yasinsky had done after the StarLightMedia hack months before. (“I have a very patient wife,” Lee says.) Within days, he’d received a sample of the BlackEnergy code and forensic data from the attacks. Lee saw how the intrusion had started with a phishing email impersonating a message from the Ukrainian parliament. A malicious Word attachment had silently run a script on the victims’ machines, planting the BlackEnergy infection. From that foothold, it appeared, the hackers had spread through the power companies’ networks and eventually compromised a VPN the companies had used for remote access to their network—including the highly specialized industrial control software that gives operators remote command over equipment like circuit breakers.
Looking at the attackers’ methods, Lee began to form a notion of who he was up against. He was struck by similarities between the blackout hackers’ tactics and those of a group that had recently gained some notoriety in the cybersecurity world—a group known as Sandworm. In 2014 the security firm FireEye had issued warnings about a team of hackers that was planting BlackEnergy malware on targets that included Polish energy firms and Ukrainian government agencies; the group seemed to be developing methods to target the specialized computer architectures that are used for remotely managing physical industrial equipment. The group’s name came from references to Dune found buried in its code, terms like Harkonnen and Arrakis, an arid planet in the novel where massive sandworms roam the deserts.
No one knew much about the group’s intentions. But all signs indicated that the hackers were Russian: FireEye had traced one of Sandworm’s distinctive intrusion techniques to a presentation at a Russian hacker conference. And when FireEye’s engineers managed to access one of Sandworm’s unsecured command-and-control servers, they found instructions for how to use BlackEnergy written in Russian, along with other Russian-language files.
Most disturbing of all for American analysts, Sandworm’s targets extended across the Atlantic. Earlier in 2014, the US government reported that hackers had planted BlackEnergy on the networks of American power and water utilities. Working from the government’s findings, FireEye had been able to pin those intrusions, too, on Sandworm.
For Lee, the pieces came together: It looked like the same group that had just snuffed out the lights for nearly a quarter-million Ukrainians had not long ago infected the computers of American electric utilities with the very same malware.
It had been just a few days since the Christmas blackout, and Assante thought it was too early to start blaming the attack on any particular hacker group—not to mention a government. But in Lee’s mind, alarms went off. The Ukraine attack represented something more than a faraway foreign case study. “An adversary that had already targeted American energy utilities had crossed the line and taken down a power grid,” Lee says. “It was an imminent threat to the United States.”
On a cold, bright day a few weeks later, a team of Americans arrived in Kiev. They assembled at the Hyatt, a block from the golden-domed Saint Sophia Cathedral. Among them were staff from the FBI, the Department of Energy, the Department of Homeland Security, and the North American Electric Reliability Corporation, the body responsible for the stability of the US grid, all part of a delegation that had been assigned to get to the bottom of the Ukrainian blackout.
The Feds had also flown Assante in from Wyoming. Lee, a hotter head than his friend, had fought with the US agencies over their penchant for secrecy, insisting that the details of the attack needed to be publicized immediately. He hadn’t been invited.
On that first day, the suits gathered in a sterile hotel conference room with the staff of Kyivoblenergo, the city’s regional power distribution company and one of the three victims of the power grid attacks. Over the next several hours, the Ukrainian company’s stoic execs and engineers laid out the blow-by-blow account of a comprehensive, almost torturous raid on their network.
As Lee and Assante had noticed, the malware that infected the energy companies hadn’t contained any commands capable of actually controlling the circuit breakers. Yet on the afternoon of December 23, Kyivoblenergo employees had watched helplessly as circuit after circuit was opened in dozens of substations across a Massachusetts-sized region, seemingly commanded by computers on their network that they couldn’t see. In fact, Kyivoblenergo’s engineers determined that the attackers had set up their own perfectly configured copy of the control software on a PC in a faraway facility and then had used that rogue clone to send the commands that cut the power.
Once the circuit breakers were open and the power for tens of thousands of Ukrainians had gone dead, the hackers launched another phase of the attack. They’d overwritten the firmware of the substations’ serial-to-ethernet converters—tiny boxes in the stations’ server closets that translated internet protocols to communicate with older equipment. By rewriting the obscure code of those chunks of hardware—a trick that likely took weeks to devise—the hackers had permanently bricked the devices, shutting out the legitimate operators from further digital control of the breakers. Sitting at the conference room table, Assante marveled at the thoroughness of the operation.
The hackers also left one of their usual calling cards, running KillDisk to destroy a handful of the company’s PCs. But the most vicious element of the attack struck the control stations’ battery backups. When the electricity was cut to the region, the stations themselves also lost power, throwing them into darkness in the midst of their crisis. With utmost precision, the hackers had engineered a blackout within a blackout.
“The message was, ‘I’m going to make you feel this everywhere.’ Boom boom boom boom boom boom boom,” Assante says, imagining the attack from the perspective of a bewildered grid operator. “These attackers must have seemed like they were gods.”
That night, the team boarded a flight to the western Ukrainian city of Ivano-Frankivsk, at the foot of the Carpathian Mountains, arriving at its tiny Soviet-era airport in a snowstorm. The next morning they visited the headquarters of Prykarpattyaoblenergo, the power company that had taken the brunt of the pre-Christmas attack.
The power company executives politely welcomed the Americans into their modern building, under the looming smokestacks of the abandoned coal power plant in the same complex. Then they invited them into their boardroom, seating them at a long wooden table beneath an oil painting of the aftermath of a medieval battle.
The attack they described was almost identical to the one that hit Kyivoblenergo: BlackEnergy, corrupted firmware, disrupted backup power systems, KillDisk. But in this operation, the attackers had taken another step, bombarding the company’s call centers with fake phone calls—possibly to delay any warnings of the power outage from customers or simply to add another layer of chaos and humiliation.
There was another difference too. When the Americans asked whether, as in Kiev, cloned control software had sent the commands that shut off the power, the Prykarpattyaoblenergo engineers said no, that their circuit breakers had been opened by another method. That’s when the company’s technical director, a tall, serious man with black hair and ice-blue eyes, cut in. Rather than try to explain the hackers’ methods to the Americans through a translator, he offered to show them, clicking Play on a video he’d recorded himself on his battered iPhone 5s.
The 56-second clip showed a cursor moving around the screen of one of the computers in the company’s control room. The pointer glides to the icon for one of the breakers and clicks a command to open it. The video pans from the computer’s Samsung monitor to its mouse, which hasn’t budged. Then it shows the cursor moving again, seemingly of its own accord, hovering over a breaker and attempting again to cut its flow of power as the engineers in the room ask one another who’s controlling it.
The hackers hadn’t sent their blackout commands from automated malware, or even a cloned machine as they’d done at Kyivoblenergo. Instead, the intruders had exploited the company’s IT helpdesk tool to take direct control of the mouse movements of the stations’ operators. They’d locked the operators out of their own user interface. And before their eyes, phantom hands had clicked through dozens of breakers—each serving power to a different swath of the region—and one by one by one, turned them cold.
In August 2016, eight months after the first Christmas blackout, Yasinsky left his job at StarLightMedia. It wasn’t enough, he decided, to defend a single company from an onslaught that was hitting every stratum of Ukrainian society. To keep up with the hackers, he needed a more holistic view of their work, and Ukraine needed a more coherent response to the brazen, prolific organization that Sandworm had become. “The light side remains divided,” he says of the balkanized reaction to the hackers among their victims. “The dark side is united.”
So Yasinsky took a position as the head of research and forensics for a Kiev firm called Information Systems Security Partners. The company was hardly a big name. But Yasinsky turned it into a de facto first responder for victims of Ukraine’s digital siege.
Not long after Yasinsky switched jobs, almost as if on cue, the country came under another, even broader wave of attacks. He ticks off the list of casualties: Ukraine’s pension fund, the country’s treasury, its seaport authority, its ministries of infrastructure, defense, and finance. The hackers again hit Ukraine’s railway company, this time knocking out its online booking system for days, right in the midst of the holiday travel season. As in 2015, most of the attacks culminated with a KillDisk-style detonation on the target’s hard drive. In the case of the finance ministry, the logic bomb deleted terabytes of data, just as the ministry was preparing its budget for the next year. All told, the hackers’ new winter onslaught matched and exceeded the previous year’s—right up to its grand finale.
On December 16, 2016, as Yasinsky and his family sat watching Snowden, a young engineer named Oleg Zaychenko was four hours into his 12-hour night shift at Ukrenergo’s transmission station just north of Kiev. He sat in an old Soviet-era control room, its walls covered in beige and red floor-to-ceiling analog control panels. The station’s tabby cat, Aza, was out hunting; all that kept Zaychenko company was a television in the corner playing pop music videos.
He was filling out a paper-and-pencil log, documenting another uneventful Saturday evening, when the station’s alarm suddenly sounded, a deafening continuous ringing. To his right Zaychenko saw that two of the lights indicating the state of the transmission system’s circuits had switched from red to green—in the universal language of electrical engineers, a sign that it was off.
The technician picked up the black desk phone to his left and called an operator at Ukrenergo’s headquarters to alert him to the routine mishap. As he did, another light turned green. Then another. Zaychenko’s adrenaline began to kick in. As he hurriedly explained the situation to the remote operator, the lights kept flipping: red to green, red to green. Eight, then 10, then 12.
As the crisis escalated, the operator ordered Zaychenko to run outside and check the equipment for physical damage. At that moment, the 20th and final circuit switched off and the lights in the control room went out, along with the computer and TV. Zaychenko was already throwing a coat over his blue and yellow uniform and sprinting for the door.
The transmission station is normally a vast, buzzing jungle of electrical equipment stretching over 20 acres, the size of more than a dozen football fields. But as Zaychenko came out of the building into the freezing night air, the atmosphere was eerier than ever before: The three tank-sized transformers arrayed alongside the building, responsible for about a fifth of the capital’s electrical capacity, had gone entirely silent. Until then Zaychenko had been mechanically ticking through an emergency mental checklist. As he ran past the paralyzed machines, the thought entered his mind for the first time: The hackers had struck again.
This time the attack had moved up the circulatory system of Ukraine’s grid. Instead of taking down the distribution stations that branch off into capillaries of power lines, the saboteurs had hit an artery. That single Kiev transmission station carried 200 megawatts, more total electric load than all the 50-plus distribution stations knocked out in the 2015 attack combined. Luckily, the system was down for just an hour—hardly long enough for pipes to start freezing or locals to start panicking—before Ukrenergo’s engineers began manually closing circuits and bringing everything back online.
But the brevity of the outage was virtually the only thing that was less menacing about the 2016 blackout. Cybersecurity firms that have since analyzed the attack say that it was far more evolved than the one in 2015: It was executed by a highly sophisticated, adaptable piece of malware now known as “CrashOverride,” a program expressly coded to be an automated, grid-killing weapon.
Lee’s critical infrastructure security startup, Dragos, is one of two firms that have pored through the malware’s code; Dragos obtained it from a Slovakian security outfit called ESET. The two teams found that, during the attack, CrashOverride was able to “speak” the language of the grid’s obscure control system protocols, and thus send commands directly to grid equipment. In contrast to the laborious phantom-mouse and cloned-PC techniques the hackers used in 2015, this new software could be programmed to scan a victim’s network to map out targets, then launch at a preset time, opening circuits on cue without even having an internet connection back to the hackers. In other words, it’s the first malware found in the wild since Stuxnet that’s designed to independently sabotage physical infrastructure.
And CrashOverride isn’t just a one-off tool, tailored only to Ukrenergo’s grid. It’s a reusable and highly adaptable weapon of electric utility disruption, researchers say. Within the malware’s modular structure, Ukrenergo’s control system protocols could easily be swapped out and replaced with ones used in other parts of Europe or the US instead.
Marina Krotofil, an industrial control systems security researcher for Honeywell who also analyzed the Ukrenergo attack, describes the hackers’ methods as simpler and far more efficient than the ones used in the previous year’s attack. “In 2015 they were like a group of brutal street fighters,” Krotofil says. “In 2016, they were ninjas.” But the hackers themselves may be one and the same; Dragos’ researchers have identified the architects of CrashOverride as part of Sandworm, based on evidence that Dragos is not yet ready to reveal.
For Lee, these are all troubling signs of Sandworm’s progress. I meet him in the bare-bones offices of his Baltimore-based critical infrastructure security firm, Dragos. Outside his office window looms a series of pylons holding up transmission lines. Lee tells me that they carry power 18 miles south, to the heart of Washington, DC.
For the first time in history, Lee points out, a group of hackers has shown that it’s willing and able to attack critical infrastructure. They’ve refined their techniques over multiple, evolving assaults. And they’ve already planted BlackEnergy malware on the US grid once before. “The people who understand the US power grid know that it can happen here,” Lee says.
To Sandworm’s hackers, Lee says, the US could present an even more convenient set of targets should they ever decide to strike the grid here. US power firms are more attuned to cybersecurity, but they are also more automated and modern than those in Ukraine—which means they could present more of a digital “attack surface.” And American engineers have less experience with manual recovery from frequent blackouts.
No one knows how, or where, Sandworm’s next attacks will materialize. A future breach might target not a distribution or transmission station but an actual power plant. Or it could be designed not simply to turn off equipment but to destroy it. In 2007 a team of researchers at Idaho National Lab, one that included Mike Assante, demonstrated that it’s possible to hack electrical infrastructure to death: The so-called Aurora experiment used nothing but digital commands to permanently wreck a 2.25-megawatt diesel generator. In a video of the experiment, a machine the size of a living room coughs and belches black and white smoke in its death throes. Such a generator is not all that different from the equipment that sends hundreds of megawatts to US consumers; with the right exploit, it’s possible that someone could permanently disable power-generation equipment or the massive, difficult-to-replace transformers that serve as the backbone of our transmission system. “Washington, DC? A nation-state could take it out for two months without much issue,” Lee says.
In fact, in its analysis of CrashOverride, ESET found that the malware may already include one of the ingredients for that kind of destructive attack. ESET’s researchers noted that CrashOverride contains code designed to target a particular Siemens device found in power stations—a piece of equipment that functions as a kill-switch to prevent dangerous surges on electric lines and transformers. If CrashOverride is able to cripple that protective measure, it might already be able to cause permanent damage to grid hardware.
An isolated incident of physical destruction may not even be the worst that hackers can do. The American cybersecurity community often talks about “advanced persistent threats”—sophisticated intruders who don’t simply infiltrate a system for the sake of one attack but stay there, silently keeping their hold on a target. In his nightmares, Lee says, American infrastructure is hacked with this kind of persistence: transportation networks, pipelines, or power grids taken down again and again by deep-rooted adversaries. “If they did that in multiple places, you could have up to a month of outages across an entire region,” he says. “Tell me what doesn’t change dramatically when key cities across half of the US don’t have power for a month.”
It’s one thing, though, to contemplate what an actor like Russia could do to the American grid; it’s another to contemplate why it would. A grid attack on American utilities would almost certainly result in immediate, serious retaliation by the US. Some cybersecurity analysts argue that Russia’s goal is simply to hem in America’s own cyberwar strategy: By turning the lights out in Kiev—and by showing that it’s capable of penetrating the American grid—Moscow sends a message warning the US not to try a Stuxnet-style attack on Russia or its allies, like Syrian dictator Bashar al-Assad. In that view, it’s all a game of deterrence.
But Lee, who was involved in war-game scenarios during his time in intelligence, believes Russia might actually strike American utilities as a retaliatory measure if it ever saw itself as backed into a corner—say, if the US threatened to interfere with Moscow’s military interests in Ukraine or Syria. “When you deny a state’s ability to project power, it has to lash out,” Lee says.
People like Lee have, of course, been war-gaming these nightmares for well over a decade. And for all the sophistication of the Ukraine grid hacks, even they didn’t really constitute a catastrophe; the lights did, after all, come back on. American power companies have already learned from Ukraine’s victimization, says Marcus Sachs, chief security officer of the North American Electric Reliability Corporation. After the 2015 attack, Sachs says, NERC went on a road show, meeting with power firms to hammer into them that they need to shore up their basic cybersecurity practices and turn off remote access to their critical systems more often. “It would be hard to say we’re not vulnerable. Anything connected to something else is vulnerable,” Sachs says. “To make the leap and suggest that the grid is milliseconds away from collapse is irresponsible.”
But for those who have been paying attention to Sandworm for almost three years, raising an alarm about the potential for an attack on the US grid is no longer crying wolf. For John Hultquist, head of the team of researchers at FireEye that first spotted and named the Sandworm group, the wolves have arrived. “We’ve seen this actor show a capability to turn out the lights and an interest in US systems,” Hultquist says. Three weeks after the 2016 Kiev attack, he wrote a prediction on Twitter and pinned it to his profile for posterity: “I swear, when Sandworm Team finally nails Western critical infrastructure, and folks react like this was a huge surprise, I’m gonna lose it.”
The headquarters of Yasinsky’s firm, Information Systems Security Partners, occupies a low-lying building in an industrial neighborhood of Kiev, surrounded by muddy sports fields and crumbling gray high-rises—a few of Ukraine’s many lingering souvenirs from the Soviet Union. Inside, Yasinsky sits in a darkened room behind a round table that’s covered in 6-foot-long network maps showing nodes and connections of Borgesian complexity. Each map represents the timeline of an intrusion by Sandworm. By now, the hacker group has been the consuming focus of his work for nearly two years, going back to that first attack on StarLightMedia.
Yasinsky says he has tried to maintain a dispassionate perspective on the intruders who are ransacking his country. But when the blackout extended to his own home four months ago, it was “like being robbed,” he tells me. “It was a kind of violation, a moment when you realize your own private space is just an illusion.”
Yasinsky says there’s no way to know exactly how many Ukrainian institutions have been hit in the escalating campaign of cyberattacks; any count is liable to be an underestimate. For every publicly known target, there’s at least one secret victim that hasn’t admitted to being breached—and still other targets that haven’t yet discovered the intruders in their systems.
When we meet in ISSP’s offices, in fact, the next wave of the digital invasion is already under way. Behind Yasinsky, two younger, bearded staffers are locked into their keyboards and screens, pulling apart malware that the company obtained just the day before from a new round of phishing emails. The attacks, Yasinsky has noticed, have settled into a seasonal cycle: During the first months of the year, the hackers lay their groundwork, silently penetrating targets and spreading their foothold. At the end of the year, they unleash their payload. Yasinsky knows by now that even as he’s analyzing last year’s power grid attack, the seeds are already being sown for 2017’s December surprises.
Bracing for the next round, Yasinsky says, is like “studying for an approaching final exam.” But in the grand scheme, he thinks that what Ukraine has faced for the past three years may have been just a series of practice tests.
He sums up the attackers’ intentions until now in a single Russian word: poligon. A training ground. Even in their most damaging attacks, Yasinsky observes, the hackers could have gone further. They could have destroyed not just the Ministry of Finance’s stored data but its backups too. They probably could have knocked out Ukrenergo’s transmission station for longer or caused permanent, physical harm to the grid, he says—a restraint that American analysts like Assante and Lee have also noted. “They’re still playing with us,” Yasinsky says. Each time, the hackers retreated before accomplishing the maximum possible damage, as if reserving their true capabilities for some future operation.
Many global cybersecurity analysts have come to the same conclusion. Where better to train an army of Kremlin hackers in digital combat than in the no-holds-barred atmosphere of a hot war inside the Kremlin’s sphere of influence? “The gloves are off. This is a place where you can do your worst without retaliation or prosecution,” says Geers, the NATO ambassador. “Ukraine is not France or Germany. A lot of Americans can’t find it on a map, so you can practice there.” (At a meeting of diplomats in April, US secretary of state Rex Tillerson went so far as to ask, “Why should US taxpayers be interested in Ukraine?”)
In that shadow of neglect, Russia isn’t only pushing the limits of its technical abilities, says Thomas Rid, a professor in the War Studies department at King’s College London. It’s also feeling out the edges of what the international community will tolerate. The Kremlin meddled in the Ukrainian election and faced no real repercussions; then it tried similar tactics in Germany, France, and the United States. Russian hackers turned off the power in Ukraine with impunity—and, well, the syllogism isn’t hard to complete. “They’re testing out red lines, what they can get away with,” Rid says. “You push and see if you’re pushed back. If not, you try the next step.”
What will that next step look like? In the dim back room at ISSP’s lab in Kiev, Yasinsky admits he doesn’t know. Perhaps another blackout. Or maybe a targeted attack on a water facility. “Use your imagination,” he suggests drily.
Behind him the fading afternoon light glows through the blinds, rendering his face a dark silhouette. “Cyberspace is not a target in itself,” Yasinsky says. “It’s a medium.” And that medium connects, in every direction, to the machinery of civilization itself.
https://www.wired.com/story/russian-hac ... k-ukraine/
WATCH HACKERS TAKE OVER THE MOUSE OF A POWER-GRID COMPUTER
THE BEST WORK of hackers tends to remain invisible. But when sophisticated intruders broke into the computer networks of regional energy firms in Ukraine in 2015 and cut power to roughly a quarter million people, their tampering didn't go unnoticed. In this rare instance, the staff of one of those electric utilities managed to capture the hackers' handiwork on video, which you can watch above.
Two days before Christmas in 2015, engineers at the Prykarpattyaoblenergo regional energy company in Western Ukraine found themselves locked out of their PCs. More troubling still, their mouse cursors moved of their own accord. The workers watched as hackers methodically clicked on circuit breakers in their grid operation software, each time opening the breakers and cutting power to another swath of the region.
In the process of reporting our cover story on those blackouts—and the larger cyberwar affecting Ukraine—WIRED obtained a video that one of those engineers shot with his iPhone, recording a “phantom mouse” attack as it happened. The PC shown in the video was a test unit, not actually connected to Prykarpattyaoblenergo’s grid equipment. But hackers used the same attack on every other networked computer connected to the company’s live electric-control systems, spurring six hours of blackouts that extended to the Ukrainian city of Ivano-Frankivsk.
In WIRED's investigation of that breach and another blackout that occurred in Ukraine a year later, we've tracked the evolution of those hackers: How they've graduated to using a digital weapon known as CrashOverride that can trigger Stuxnet-style automated attacks on infrastructure, and how those attacks may just be tests for future operations—perhaps against the United States. Read the full story here.
https://www.wired.com/story/video-hacke ... ter-mouse/